Lecture 5 & 6: Corporate Architecture
Network Design & Administration
Summary of Last Lecture
• Where possible ensure all user workstations are given the same OS build / release.
• Automate the process for speed, simplicity and repeatability.
• Check hardware compatibility if upgrading.
• If upgrading – Backup!
• If installing dual boot and Linux – Backup!
Overview
• Originally, Microsoft provided only standalone PC’s – networks were sold by large vendors with thin client terminals connected to servers.
• Windows for Workgroups allowed small numbers of PC users to work together sharing files and printers.
• NT 3 / 4 provided a Domain concept, whereby certain servers on the network provided centralised directory services.
• Active Directory took this further, by adding layers of hierarchy to cope with large corporate structures.
• Similarly, Linux machines could be used alone, then in loose connectivity, then using Directory Services.
What are Directory Services?[1]
• A database used to administer resources on a network.
• Need to make the following basic assumptions:
  • The objects in the database are relatively small.
  • The database will be widely replicated and cached.
  • The information is mainly attributes.
  • Access is mainly read, with occasional writes.
  • Searching is likely to be a frequent operation.
• The IETF provided the Lightweight Directory Access Protocol (LDAP) as a way to access the database over a network; the LDAP standards also specify the data schema and search methods for a directory service.
Accounts: Microsoft Domain vs. Workgroup

Figure (Domain): two Windows Server 2008 domain controllers, each holding a replica of Active Directory and replicating with one another; two Windows 7 clients and a Windows Server 2008 member server (print server) all use the accounts held centrally in Active Directory.

Figure (Workgroup): two Windows Server 2008 servers (one acting as print server) and two Windows 7 clients, each machine holding its own local Accounts database.
Microsoft Workgroup
• A collection of computers interacting informally with no centralised authority.
• Each computer in the workgroup has its own set of local user accounts.
• User accounts are stored locally in a flat-file database called the Security Accounts Manager (SAM).
• Passwords are stored in hashed format.
• Question: What’s a hash function?
• If a user needs to access another computer they must have a valid account there too.
• This can be made simpler by ensuring each user has the same account name and password on each machine – but this costs admin time.
• Question: are there any limitations with workgroups?
Side bar: Hash Tables
• Hash tables provide a way of storing mappings from one piece of data to another.
• A key provides a value (e.g. h(“Pa$$word”) → 76934856434).
• For example, you could use a hash table to associate user names with their accounts / passwords.
• The names would be unique and somehow provide you with the associated data.
• A hash table will need to provide:
  • A hash function
  • A bucket array/list (more on this in 3 slides)
Figure: a hash table with slots 1–12; the user names Clark Kent, Lois Lane, Jimmy Olsen and Perry White are mapped into slots holding the accounts ACT#4534, ACT#5675, ACT#6789 and ACT#7898? respectively.
e.g. h(user name) → user account
Side bar: Hash Functions
• Need some way of converting a unique key to a value: h(n) → v
• Easy way – use the ASCII codes of the characters.
• To calculate the hash value of “White” (ASCII codes 87, 104, 105, 116, 101) with base 31, we do:
  87·31^4 + 104·31^3 + 105·31^2 + 116·31^1 + 101·31^0 = 83549193, so h(“White”) = 83549193
• BUT! How do we access element 83,549,193 in our hash table?
• h(x1) = α and h(x2) = α (two different keys giving the same value)
• Why use a large number?
Side bar: Compression Function
There are two methods:
1. A simple “division method” using modulo arithmetic
  • Bucket array has a known size (e.g. 1000 places).
  • Position can be found by i % array length.
  • h(“White”) = 83549193
  • But, what happens when multiple hashes point to the same position in the hash table (i.e. collisions)?
  • Either use a better compression function and / or implement a hash table using a bucket list/array (next slide).
2. More sophisticated method: MAD (multiply, add and divide)
  • Would produce the position.
  • Collisions can be handled by using:
    • Linear probing
    • Quadratic probing
Investigate in your own time!
Side bar: Bucket Arrays
• A bucket array is just an array of size N.
• However, instead of each element storing one piece of information, the element provides another array which can grow…
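The three side bars above (hash function, compression function, bucket array) fit together in a few dozen lines. The following is an added example written for these notes, not code from the lecture: a base-31 polynomial hash over the ASCII codes (which reproduces h(“White”) = 83549193), the division-method compression onto a fixed-size bucket array, and chaining inside each bucket so that colliding keys are kept rather than overwritten. The user names and account numbers are the slide’s sample data; the function and class names (poly_hash, compress, BucketHashTable, build_table) are this example’s own.

```python
# Added example (not from the lecture slides): polynomial string hash with base 31,
# "division method" compression onto a fixed-size bucket array, and chaining to
# store colliding keys. Sample data is the slide's user name -> account mapping.
from typing import Dict, List, Optional, Tuple

BASE = 31


def poly_hash(key: str) -> int:
    """Hash of a string: sum of ord(c) * BASE^(len-1-i), evaluated by Horner's rule.
    For "White": 87*31^4 + 104*31^3 + 105*31^2 + 116*31 + 101 = 83549193."""
    h = 0
    for ch in key:
        h = h * BASE + ord(ch)
    return h


def compress(h: int, n_buckets: int) -> int:
    """Division method: fold the (very large) hash value into a valid array index."""
    return h % n_buckets


class BucketHashTable:
    """Bucket array of N slots; each slot holds a growable list of (key, value)
    pairs, so keys that compress to the same index do not overwrite each other."""

    def __init__(self, n_buckets: int = 1000) -> None:
        self.n = n_buckets
        self.buckets: List[List[Tuple[str, str]]] = [[] for _ in range(n_buckets)]
        self.collisions = 0  # inserts of a new key into an already-occupied bucket

    def index(self, key: str) -> int:
        return compress(poly_hash(key), self.n)

    def put(self, key: str, value: str) -> None:
        chain = self.buckets[self.index(key)]
        for i, (k, _) in enumerate(chain):
            if k == key:            # same key again: update in place
                chain[i] = (key, value)
                return
        if chain:                   # different key, same bucket: a collision
            self.collisions += 1
        chain.append((key, value))

    def get(self, key: str) -> Optional[str]:
        for k, v in self.buckets[self.index(key)]:
            if k == key:
                return v
        return None


def build_table(n_buckets: int) -> BucketHashTable:
    """Load the slide's user name -> account mapping into a table of the given size."""
    accounts: Dict[str, str] = {
        "Clark Kent": "ACT#4534",
        "Lois Lane": "ACT#5675",
        "Jimmy Olsen": "ACT#6789",
        "Perry White": "ACT#7898",
    }
    table = BucketHashTable(n_buckets)
    for name, acct in accounts.items():
        table.put(name, acct)
    return table


if __name__ == "__main__":
    print("h('White') =", poly_hash("White"))
    print("index in a 1000-slot array:", compress(poly_hash("White"), 1000))
    # A deliberately tiny table forces collisions; lookups still succeed via chaining.
    small = build_table(2)
    print("collisions with 2 buckets:", small.collisions)
    print("Perry White ->", small.get("Perry White"))
```

With 4 names and only 2 buckets at least two inserts must collide (pigeonhole), yet every lookup still returns the right account because the bucket grows instead of being overwritten; that is the difference between the plain array of slide 7 and the bucket array described here.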
Figure: a bucket array with slots 1–12. Clark Kent → ACT#4534, Lois Lane → ACT#5675, Jimmy Olsen → ACT#6789 and Perry White → ACT#7898 occupy their slots; the additional names Jack Kent (ACT#4535) and Lucy Lane (ACT#5676) land in already-occupied slots, so those buckets grow to hold more than one entry.
Note: better to use a linked list structure to store collisions – it will allow an indefinite number of entries per bucket rather than a fixed limit (say n=9).
Now back to workgroups….
Microsoft Workgroup
• A collection of computers interacting informally with no centralised authority.
• Each computer in the workgroup has its own set of local user accounts.
• User accounts are stored locally in a flat-file database called the Security Accounts Manager (SAM).
• Passwords are stored in hashed format.
• Question: What’s a hash function?
• If a user needs to access another computer they must have a valid account there too.
• This can be made simpler by ensuring each user has the same account name and password on each machine – but this costs admin time.
• Question: are there any limitations with workgroups?
Note: hash values and hash functions are used extensively within the OS.
Microsoft Domain
• For larger networks (> approx. 10 computers), it is simpler to use a centralised Directory Service that contains a list of the resources available on a network.
• The domain model is hierarchical, and Active Directory Domain Services holds the list that is trusted by all machines on the network.
• Active Directory Domain Services includes:
  • Database of computers, users, etc.
  • LDAP services to mediate queries and responses
  • Kerberos security service
  • File replication service to ensure redundancy of domain information
Active Directory Data Store physical structure[2]

The data store is layered; each layer and its function:
• Interfaces – LDAP, REPL, MAPI, SAM: allow access to the DB via 4 interface methods.
  LDAP: Lightweight Directory Access Protocol; REPL: Replication and domain controller management interface; MAPI: Messaging API; SAM: Security Accounts Manager.
• Directory Service Agent (DSA), Ntdsa.dll: access / modification of objects via read / write operations; syntax checking (schema); maintains the schema.
• Database Layer, Ntdsa.dll: interface between the DSA and the DB file; provides low-level DB functionality (create, read, write, delete).
• Extensible Storage Engine (ESE), Esent.dll: general purpose DB engine; low-level functions: indexing, transferring & integrity checks; transaction based (i.e. ATOMIC).
Active Directory Domain Services Logical Structure
• This is comprised of the following:
  • Partitions
  • Domains
  • Domain trees
  • Forests
  • Sites
  • Organisational Units
AD DS Partitions[2]
The AD data store is divided up into a number of logical partitions (also known as naming contexts):
• Domain directory
• Configuration directory
• Schema directory
• Global catalogue (covered in a later lecture)
• Application directory
Domains[2]
Domains act as an administrative boundary within the organisation and define the following:
• Replication boundaries
• Security policy boundaries
• Resource access boundaries
• Trust boundaries
Domain Trees
• Multiple domains with contiguous DNS namespaces form a domain tree.
• aardvark.com is the parent (root domain) in which child domains are created.
Figure: aardvark.com with the child domains us.aardvark.com and eu.aardvark.com.
Forests
• Highest level of the AD DS logical structure hierarchy.
• A forest can contain one or more domain trees and one or more domain namespaces.
Figure: two domain trees, aardvark.com (us.aardvark.com, eu.aardvark.com) and bison.com (nott.bison.com, man.bison.com), joined by “some kind of link!”.
Other Forest issues – Trust Relationships – Transitive Two-way Trust
• Trust allows the resources of one domain to be accessible from another (can be parent-child or tree-root trusts).
• By default, one-way trust (non-transitive trust) is enabled between domains.
• Need to explicitly set two-way for transitive trust.
Figure: the aardvark.com tree (us.aardvark.com, eu.aardvark.com) and the bison.com tree (nott.bison.com, man.bison.com). A two-way trust is shown alongside a one-way trust (bison trusts aardvark); user U1 logs in against the U1 account and user U2 against the U2 account across the trust.
Shortcut Trusts
• Two-way transitive trust between aardvark.com and bison.com.
• Example: a user in the eu.aardvark.com domain wants to access a shared resource in the us.bison.com domain.
• The user needs to be referred to each domain controller in the trust path for authentication.
• To reduce latency times, introduce a shortcut trust relationship.
• A shortcut trust can be one-way or two-way but is not transitive (only the two domains trust each other, the rest don’t).
Figure: trust path eu.aardvark.com → aardvark.com (1 hop) → bison.com (2 hops) → us.bison.com (3 hops); a shortcut trust directly between eu.aardvark.com and us.bison.com reduces this to 1 hop.
Forest Trusts
• Forest trusts provide two-way transitive trust between two connecting forest roots.
• This means that there is transitive trust between:
  • aardvark.com ↔ bison.com
  • bison.com ↔ giraffe.com
  • But no default forest trust between aardvark.com and giraffe.com
• Only allows authentication to occur between forests – replication does not happen.
Figure: forests aardvark.com (us.aardvark.com, eu.aardvark.com), bison.com (nott.bison.com, man.bison.com) and giraffe.com (us.giraffe.com, eu.giraffe.com), with a forest trust between aardvark.com and bison.com and another between bison.com and giraffe.com.
External Trusts
• Used to allow a domain external to the forest to access resources.
• Not the same as a forest trust, as an external trust is only between two domains (i.e. non-transitive).
• Usually one way.
Figure: an external trust between aardvark.com (us.aardvark.com, eu.aardvark.com) and bison.com (nott.bison.com, man.bison.com).
Realm Trusts
• Used to connect a Windows Server 2008 domain to a non-Windows Kerberos realm.
• Can be defined as one-way, two-way, transitive or non-transitive.
• In this example, us.aardvark.com can access tiger.com resources using a one-way, non-transitive trust, but tiger.com is not able to access shared resources in us.aardvark.com.
Figure: the aardvark.com tree (us.aardvark.com, eu.aardvark.com) with a one-way realm trust between us.aardvark.com and the Kerberos realm tiger.com.
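The trust slides (Shortcut, Forest, External and Realm Trusts) all make the same kind of claim: which domains can reach which others, and how many referrals the path takes. The following is an added example for these notes, not code from the lecture: it models the slides’ diagrams as a directed graph of trusts and counts the hops between the domain holding a resource and the user’s account domain. The domain names are the lecture’s; the topology, the rule that a path may cross at most one forest trust (so bison.com’s trusts do not give aardvark.com access to giraffe.com), and the treatment of shortcut, external and realm trusts as direct-only links are assumptions taken from the slides’ wording, not from the real Active Directory trust algorithm.

```python
# Added example (not from the lecture slides): the trust diagrams as a directed
# graph, with referral hop counting between a resource's domain and a user's domain.
from collections import deque
from typing import Dict, List, Optional, Tuple

# One trust edge: (trusting_domain, trusted_domain, kind, two_way).
# Users of the trusted domain may reach resources in the trusting domain.
Trust = Tuple[str, str, str, bool]
Graph = Dict[str, List[Tuple[str, str]]]

# Per the slides: parent-child and forest trusts chain (transitive); shortcut,
# external and the lecture's example realm trust are direct links only.
CHAINABLE = {"parent_child", "forest"}


def build_graph(trusts: List[Trust]) -> Graph:
    """Adjacency list: graph[a] lists (b, kind) for every direction in which a trusts b."""
    graph: Graph = {}
    for trusting, trusted, kind, two_way in trusts:
        graph.setdefault(trusting, []).append((trusted, kind))
        graph.setdefault(trusted, [])
        if two_way:
            graph[trusted].append((trusting, kind))
    return graph


def trust_path(graph: Graph, resource_domain: str, user_domain: str) -> Optional[List[str]]:
    """Shortest trust path from the resource's domain to the user's domain, or None."""
    if resource_domain == user_domain:
        return [resource_domain]
    # A direct trust of any kind (including a non-transitive one) is a single hop.
    for nbr, _kind in graph.get(resource_domain, []):
        if nbr == user_domain:
            return [resource_domain, user_domain]
    # Otherwise breadth-first search over chainable trusts only. A forest trust
    # joins two forests but does not chain on to a third, so a path may cross at
    # most one forest-trust edge (assumption modelling the Forest Trust slide).
    start = (resource_domain, False)  # (domain, forest edge already used?)
    queue = deque([(start, [resource_domain])])
    seen = {start}
    while queue:
        (node, used_forest), path = queue.popleft()
        for nbr, kind in graph.get(node, []):
            if kind not in CHAINABLE or (kind == "forest" and used_forest):
                continue
            state = (nbr, used_forest or kind == "forest")
            if state in seen:
                continue
            seen.add(state)
            if nbr == user_domain:
                return path + [nbr]
            queue.append((state, path + [nbr]))
    return None


def hops(graph: Graph, resource_domain: str, user_domain: str) -> Optional[int]:
    """Number of referrals (trust edges) on the path, or None if no path exists."""
    path = trust_path(graph, resource_domain, user_domain)
    return None if path is None else len(path) - 1


# Constructed topology from the slides' diagrams.
TREES: List[Trust] = [
    ("aardvark.com", "us.aardvark.com", "parent_child", True),
    ("aardvark.com", "eu.aardvark.com", "parent_child", True),
    ("bison.com", "nott.bison.com", "parent_child", True),
    ("bison.com", "us.bison.com", "parent_child", True),   # from the Shortcut Trust slide
    ("giraffe.com", "us.giraffe.com", "parent_child", True),
    ("giraffe.com", "eu.giraffe.com", "parent_child", True),
]
FOREST_AND_REALM: List[Trust] = TREES + [
    ("aardvark.com", "bison.com", "forest", True),
    ("bison.com", "giraffe.com", "forest", True),
    ("tiger.com", "us.aardvark.com", "realm", False),     # tiger.com trusts us.aardvark.com only
]
SHORTCUT: Trust = ("us.bison.com", "eu.aardvark.com", "shortcut", True)
EXTERNAL_ONLY: List[Trust] = TREES[:4] + [
    ("aardvark.com", "bison.com", "external", False),     # aardvark.com trusts bison.com, one way
]

if __name__ == "__main__":
    g = build_graph(FOREST_AND_REALM)
    print("eu.aardvark.com user -> us.bison.com resource:", trust_path(g, "us.bison.com", "eu.aardvark.com"))
    print("with shortcut trust:", hops(build_graph(FOREST_AND_REALM + [SHORTCUT]), "us.bison.com", "eu.aardvark.com"))
    print("eu.aardvark.com user -> us.giraffe.com resource:", hops(g, "us.giraffe.com", "eu.aardvark.com"))
```

Running it reproduces the slides: the eu.aardvark.com user reaches us.bison.com in 3 hops and in 1 hop once the shortcut trust exists, the shortcut does not shorten the path to any other domain, the chain aardvark–bison–giraffe yields no path, and the one-way external and realm trusts are usable only in the stated direction and only by the two domains they join.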
Sites
• The logical structure of AD DS is independent of the physical infrastructure of the network used within the organisation.
• When designing the organisational structure, need to consider where users and resources are going to be located.
• A site can be thought of as an area (e.g. Clifton campus) which has its own network, comprised of one or more DCs and a number of clients.
• There are a number of reasons for using a site when managing network traffic:
  • Replication
  • Authentication
  • Site-aware network services
Organisational Units
• Microsoft recommend organisations to have relatively few domains and to manage the administration by use of OUs.
• OUs are containers within domains and can be layered.
• OUs can contain different types of AD DS objects:
  • User
  • Group
  • Printers
  • Organisational units
  • Computers
  • Shared folders
  • Contacts
  • inetOrgPerson
Organisational Units
• Objects are known by their distinguished names (DN) and have attributes – both informative and administrative (e.g. for permissions).
• The Schema sets out the rules to govern what objects can be used and how they are specified.
• The objects in containers (such as users or computers) that cannot contain other objects are called leaf objects.
• Rights & permissions are allocated to containers (and therefore the objects in them).
Domains and Domain Controllers
• When a server is promoted to become a Domain Controller, it hosts a replica of the AD DS database.
• Typically, domains have 2+ DCs for redundancy because the information is so critical to the workings of the network.
• DCs copy information between themselves to ensure changes are propagated – this is done via multi-master replication, so there is no need to start from a designated Primary DC.
Integrating DNS & DHCP services
• Microsoft encourage the integration of DNS services onto DCs[3].
• This allows the DNS to make use of the replication / redundancy features provided under Active Directory.
• Provides additional security for DNS by use of group policies (see later).
• Avoids the need to manage DNS information separately.
• When a DC also does DHCP, DHCP inherits the DC’s permissions on DNS records, so it is advised to configure the DHCP server with the credentials of a dedicated user account[4].
Domain Controller Issues
• AD DS is so important that the domain controller functionality was designed to allow for controlled restoration from working DCs.
• A faulty DC can be brought into line with other up-to-date ones by following this sequence:
  • Reboot the DC in Directory Services Restore Mode (will need the DSRM password supplied during the original DC setup).
  • Use a backup to get the (out of date) DS information.
  • Restart, indicating a non-authoritative restoration, to acquire changes from other DCs.
• Authoritative restores are required when deleted objects need to be forcibly restored from an AD DS backup.
Why is the architecture important?
• Active Directory involves sharing information between domain controllers.
• To let users/computers in one structure access facilities in another involves different degrees of exposure depending on domain / tree / forest.
• In large structures with many users and computers, we want to minimise replication of information in the global catalogue.
• (We will look at the global catalogue in more detail in a later session when working with groups.)
Other DC roles: Operations Masters[2]
• Certain roles within the AD DS hierarchy are not suited to the replication methods used for Domain Controllers.
• These are called FSMO (Flexible Single Master Operations) or Operations Master roles.
• Need to specify an authoritative server to handle certain directory operations to ensure that consistency is maintained.
• Types of FSMO/Operations Master roles:
  • Schema master
  • Domain naming master
  • RID master
  • PDC emulator
  • Infrastructure master
• Roles must be carefully distributed to allow DCs to take over after failure.
Other DC roles: Read-Only Domain Controllers[2]
• Same as a “normal” domain controller within a domain, i.e. provides the same functionality (authentication, authorisation, DNS).
• But:
  • Is limited
  • No credentials stored locally.
  • Authentication requires access to a writeable DC to authenticate requests.
  • Cannot configure an RODC with an FSMO role.
• Why use them?
  • Ideal when the physical security of the DC cannot be guaranteed (e.g. in an open office with no dedicated machine room).
  • When storing data on local storage would pose a security risk.
Linux integration
• Microsoft Server 2008 includes Windows Security and Directory Services for Unix to allow Linux/Unix clients in a mixed environment to use AD DS Kerberos for authentication, and LDAP to retrieve authorisation information from either Unix or AD servers.
• Pure Linux can use OpenLDAP to control/share system files and attributes, e.g. /etc/passwd, /etc/group, /etc/hosts.
• (Lab 3 will introduce adding Linux clients to an Active Directory domain.)
Summary
• Domain services provide functionality to control the logical structure of an organisation.
• Domains are used within a geographical boundary (e.g. in a single company).
• Forests connect multiple domains together.
• Forests provide a number of trust relationships for information to flow between domains.
• Organisational units provide structure and act as containers for resources which can model the real-world company structure.
Next Time
• Naming and Namespaces
• Objects in Active Directory – computers, users and groups.

References
[1] Nemeth, E. et al., “Unix and Linux System Administration Handbook”, 4th Edition, Chapter 19.3.
[2] Windows Server 2008 Active Directory Resource Kit.
[3] http://technet.microsoft.com/en-us/library/cc771613.aspx
[4] http://technet.microsoft.com/en-us/library/cc787034.aspx
[5] http://www.exchangeinbox.com/article.aspx?i=30